Fixed a memory safety bug caused by an overflow in nsXMLHttpRequest::AppendToResponseText (CVE-2015-2740).

Fixed a use-after-free in CanonicalizeXPCOMParticipant (CVE-2015-2722).

Fixed off-main-thread use of nsIPrincipal by various consumers in the tree (the principal is now only grabbed when needed).

Fixed an issue where an IPDL message was sent off the main thread.

Fixed a potentially exploitable TCPSocket crash due to a race condition.

Fixes/changes:

A complete list of the fixes, changes and additions is available in the Release Notes. Some of the changes that may be of particular interest to users are as follows:

Canvas anti-fingerprinting option: Pale Moon now includes the option to make canvas fingerprinting much more difficult. By setting the about:config preference canvas.poisondata to true, any data read back from canvas surfaces will be "poisoned" with humanly-imperceptible data changes. By default this is off, because it has a large performance impact on the routines reading this data.
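The effect of poisoned readback on a fingerprinting script can be seen in the following added example, which is not Pale Moon's code. It simulates a canvas pixel buffer in plain JavaScript and assumes a simple scheme (randomly flipping the lowest bit of each colour channel); the page does not describe how Pale Moon actually perturbs the data, and all function names are hypothetical.

```javascript
// Added illustration, not Pale Moon source. All names are hypothetical.
// Constructed sample: n RGBA pixels standing in for a rendered canvas.
function makePixels(n) {
  const px = new Uint8ClampedArray(n * 4);
  for (let i = 0; i < n; i++) px.set([i * 7 & 255, i * 13 & 255, i * 29 & 255, 255], i * 4);
  return px;
}

// Seeded xorshift32 bit source so the demo is reproducible; a real
// implementation would use an unpredictable source.
function seededBits(seed) {
  let s = seed >>> 0;
  return () => { s ^= s << 13; s ^= s >>> 17; s ^= s << 5; return (s >>> 16) & 1; };
}

// FNV-1a over the bytes, standing in for the hash a fingerprinting script
// computes over data read back from the canvas.
function fingerprint(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) h = Math.imul(h ^ b, 0x01000193) >>> 0;
  return h.toString(16).padStart(8, "0");
}

// Simulated readback. With poison on, the lowest bit of each colour channel
// is flipped at random: at most 1/255 change per channel, alpha untouched.
function readBack(pixels, poison, bit) {
  const out = Uint8ClampedArray.from(pixels);
  for (let i = 0; poison && i < out.length; i++) {
    if (i % 4 !== 3) out[i] ^= bit();
  }
  return out;
}

// Read the same canvas several times with and without poisoning.
function demo(reads = 5) {
  const canvas = makePixels(64), bit = seededBits(2015);
  const clean = [], poisoned = [];
  let maxDelta = 0;
  for (let n = 0; n < reads; n++) {
    clean.push(fingerprint(readBack(canvas, false, bit)));
    const p = readBack(canvas, true, bit);
    p.forEach((v, i) => (maxDelta = Math.max(maxDelta, Math.abs(v - canvas[i]))));
    poisoned.push(fingerprint(p));
  }
  return { clean, poisoned, maxDelta };
}

console.log(demo());
```

Unpoisoned reads hash to the same value every time, which is what makes the canvas a stable identifier; poisoned reads hash differently on each read while no channel moves by more than one step.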

Added a feature to allow icon fonts to be used even when users disallow the use of document-specified fonts. This should retain full navigation for icon-font heavy websites (no more dreaded "boxes" with hex codes) when custom text fonts are disabled.

Added a feature to prevent screen savers from activating when playing full-screen HTML5 video. This is not yet operational on Linux because of stability issues we've run into on that OS, but Windows should properly benefit from this change.